Blog

Cybersecurity Month Brings Awareness to Financial Institutions

With the rise of the internet and the wave of online banking that followed, cybersecurity is becoming a hot-button topic. Because most information and financial assets are accessible from online avenues now—or in the case of cryptocurrencies, are entirely digital in nature—practicing good cyber hygiene is essential in keeping information from online hackers, thieves, and scammers.

Yes: October was officially Cybersecurity Month, but this is a year round issue, so it's always a good time to remind employees and consumers to be careful with their data and systems. Let’s dive in to learn more about cybersecurity, understand some of the statistics and terms associated with it, and how much it can cost an agency or institution, should they fall prey.

What is Cybersecurity?

Cybersecurity, in its most basic forms, can be anything from firewalls to endpoint detections, and even captcha tests. Also, “security questions” and other online forms that require personal information input all exist under the umbrella of cybersecurity, as well. One favorite technique used by hackers and scammers is called social engineering, and it’s imperative that employees and consumers become familiar with the tactics employed in these scams.

How Does Social Engineering Relate to Cybersecurity?

Social engineering, in regard to cybersecurity, is the reason why most people and their employees are likely to become victims of fraud. Social engineers exploit the one weakness that is found in each and every organization: human psychology. Using a variety of media, including phone calls and social media, email, and even in-person visits, these attackers trick people into offering them access to sensitive information.

“Social engineers” design specific formats and online platforms, in some cases even building clones of well known (and trusted) websites to scam people from, and successfully manipulate a victim into taking specific actions like, say, wiring hundreds or thousands to a prospective client or partner. Moreover, unfortunately, social engineer scams and phishing accounts only seem to be growing, year after year.

What do Social Engineering Tactics and Breaks in Cybersecurity Look Like?

There are many forms of social engineering scams and cybersecurity breeches. This list takes a look at some of the most common forms that everyone needs to become familiar with.

Phishing Scams

There’s a reason why phishing scams and other forms of online financial fraud are so easy to fall for: It can be incredibly hard to make them out from the real things they represent. A case-and-point example is email-driving phishing scams. They seek to obtain personal information—like legal, addresses, security numbers, and banking information—to help “facilitate” transactions; these are especially common after-tax season when scam agencies claim to be IRS agents that are keen on taking funds for unpaid taxes. In some cases, they’ll even shorten or embedded URL links, which appear to be legitimate, to later redirect them to a fraudulent website.

Spear phishing

Spear phishing is a technique that fraudulently acquires private information by sending customized emails to few system users. The difference between phishing attacks and spearfishing attacks because is that phishing scams send out high volumes of emails with the expectation that only a few people will respond, whereas spear phishing emails require the attacker to take a more substantial, targeted interest in their targets in order to "trick" end users into performing requested activities. The success rate of spear-phishing attacks is considerably higher than phishing attacks.

Pretexting

According to Social Engineer.org, “pretexting is defined as the practice of presenting oneself as someone else to obtain private information. It is more than just creating a lie, in some cases, it can be creating a whole new identity and then using that identity to manipulate the receipt of information.”

Baiting

Baiting is similar to a Trojan horse virus that uses physical media and relies on the curiosity of the victim. In this type of attack, attackers leave some malware-infected CD-ROMs, or USB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and enticing labels.“For example, an attacker may create a disk featuring a corporate logo, available from the target's website, and label it "Executive Salary Summary Q2 2012". The attacker then leaves the disk on the floor of an elevator or somewhere in the lobby of the target company. An unknowing employee may find it and insert the media into a computer to satisfy his or her curiosity, or a good Samaritan may see it and return it to the company. In any case, just inserting the disk into a computer installs malware, giving attackers access to the victim's PC and, perhaps, the target company's internal computer network.

Vishing

Vishing uses a fake interactive voice response system to recreate a legitimate-sounding copy of a bank or other institution's system. The victim is prompted (typically via a phishing e-mail) to call into the "bank" via an (ideally toll-free) number provided to "verify" information. A typical vishing system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker/defrauder, who poses as a customer service agent or security expert for further questioning of the victim.

How Prevalent is it, and How Much Can it Cost?

Unfortunately, cybersecurity hacks and scam campaigns only seem to be increasing, year after year. And they're costing both businesses and consumers thousands, in some cases tens or hundreds of thousands.

In 2017 alone, phishing scams increased over 50 percent from the prior year, affecting both consumers and the company’s they affiliate with. The Social Engineer has research to show that social engineered phishing scams make up about 70 percent of all financial cybersecurity attacks. Even worse, they found that the average business loses $43,000 per account, while subjected individuals lost about $4,200 per scam. In some instances, hundreds of thousands of dollars were lost in both personal and company-wide phishing scams.

In Summary: Trust Your Gut and Educate Your Employees on the Matter

By now, it’s probably clear to you that cybersecurity, especially in regards to social engineering, is a digital topic we should all heed and familiarize ourselves with.

However, even if you don’t have time to go down the many internet rabbit holes on the subject, remember to follow your gut and intuition. If that email or online requests seems a bit odd or, frankly, “too good to be true”—then it probably is. If you’re suspicious about an email or request, check with the consumer.ftc.org before taking action to make sure you don’t throw away thousands to a scam. Be sure the link you are clicking on is real. If you are suspicious that a link is may not be valid, open a new browser window and type in the URL to the company yourself before attempting to log in. If you’re not sure an email requesting money from a source that is familiar to you is real, ask that person for confirmation directly.

Especially for smaller community banks and credit unions, preventing such scams from costing you a pretty penny starts with educating employees on the matter. Consider looking into formal cybersecurity training for your organization. When you and your employees take cybersecurity seriously, it’s a win-win situation for your institution, employees, and customers. It is also an excellent time to look into a Cyber Risk Management Policy. A liability policy that accesses breach response coverage addressing technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access.